GNU bug report logs -
#47412
env: fragile argument parsing
Message #8 received at 47412 <at> debbugs.gnu.org (full text, mbox):
On 26/03/2021 15:00, Frank Busse wrote:
> Hi,
>
>
> env crashes for some nonsensical command line arguments (reported by
> KLEE), e.g.:
>
> ---
>> python3 -c "import os; os.execl('./src/env', 'env', b'--s=\"\"\t\x0b')"
>
> =================================================================
> ==140651==ERROR: AddressSanitizer: heap-buffer-overflow on address
> 0x603000000028 at pc 0x562e1cc1078a bp 0x7ffd59964dd0 sp 0x7ffd59964dc0
> WRITE of size 8 at 0x603000000028 thread T0
> #0 0x562e1cc10789 in build_argv src/env.c:511
> #1 0x562e1cc10982 in parse_split_string src/env.c:548
> #2 0x562e1cc127bc in main src/env.c:849
> #3 0x7f1c167e3b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)
> #4 0x562e1cc0e54d in _start (coreutils-8.32/src/env+0x654d)
>
> 0x603000000028 is located 0 bytes to the right of 24-byte region
> [0x603000000010,0x603000000028)
> allocated by thread T0 here:
> #0 0x7f1c16a3b459 in __interceptor_malloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:145
> #1 0x562e1cc19463 in xmalloc lib/xmalloc.c:41
> #2 0x562e1cc0ff54 in build_argv src/env.c:404
> #3 0x562e1cc10982 in parse_split_string src/env.c:548
> #4 0x562e1cc127bc in main src/env.c:849
> #5 0x7f1c167e3b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)
Confirmed on an ASAN build of the latest source.
I'll fix it up.
thanks!
Pádraig
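Added example (not coreutils' code and not a reproduction of env's actual build_argv): the trace above shows an argv array allocated in build_argv (env.c:404) as a 24-byte region, i.e. three pointer slots, and an 8-byte write landing exactly at its end (env.c:511), i.e. a fourth pointer the allocation never had room for. The C below models that failure mode with a constructed -S style splitter. The buggy variant sizes the array from a quote-unaware whitespace count while the fill pass applies different rules (here isspace() versus space/tab, so "" followed by a tab and a vertical tab, the report's input, is estimated at one slot but yields two tokens); the fixed variant counts with the same state machine that fills. The separator rules, the estimate and the names split_tokens, build_argv_buggy and build_argv_fixed are assumptions made for this illustration; the bounds check that returns -1 stands in for the write that overruns the heap block in the real bug.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not coreutils' build_argv: an env -S style splitter
   whose argv array is sized by a counting pass that disagrees with the pass
   that fills it.  Separator rules, estimate and names are constructed. */

/* Two notions of whitespace: isspace() also accepts \v and \f. */
static bool sep_space_tab(char c) { return c == ' ' || c == '\t'; }
static bool sep_isspace(char c) { return isspace((unsigned char)c) != 0; }

/* Quoting-aware splitter: breaks STR on IS_SEP characters; "" yields an
   empty argument.  OUT == NULL only counts.  Otherwise stores at most CAP
   tokens and returns -1 instead of writing past CAP (where the real bug
   writes past the heap block).  Returns the token count. */
static int split_tokens(const char *str, bool (*is_sep)(char),
                        char **out, size_t cap)
{
    size_t n = 0, blen = 0;
    bool dq = false, in_tok = false;
    char *buf = malloc(strlen(str) + 1);
    if (!buf)
        return -1;
    for (const char *p = str;; p++) {
        char c = *p;
        if (c == '"') {
            dq = !dq;
            in_tok = true;               /* even "" opens a token */
        } else if (c == '\0' || (!dq && is_sep(c))) {
            if (in_tok) {
                if (out) {
                    if (n >= cap || !(out[n] = malloc(blen + 1))) {
                        free(buf);
                        return -1;       /* would overflow argv */
                    }
                    memcpy(out[n], buf, blen);
                    out[n][blen] = '\0';
                }
                n++;
                blen = 0;
                in_tok = false;
            }
            if (c == '\0')
                break;
        } else {
            buf[blen++] = c;
            in_tok = true;
        }
    }
    free(buf);
    return (int)n;
}

static void free_argv(char **argv)
{
    for (size_t i = 0; argv && argv[i]; i++)
        free(argv[i]);
    free(argv);
}

/* Buggy sizing: allocation from a quote-unaware count of isspace-separated
   runs, while the fill pass splits on space/tab only, so "" followed by a
   tab and a \v needs two slots but is estimated at one.  -1 on overflow. */
static int build_argv_buggy(const char *str, char ***argv_out)
{
    size_t estimate = 0;
    bool in_run = false;
    for (const char *p = str; *p; p++) {
        if (sep_isspace(*p)) {
            in_run = false;
        } else if (!in_run) {
            in_run = true;
            estimate++;
        }
    }
    char **argv = calloc(estimate + 1, sizeof *argv);   /* +1 for NULL */
    int n = argv ? split_tokens(str, sep_space_tab, argv, estimate) : -1;
    if (n < 0) {
        free_argv(argv);
        argv = NULL;
    }
    *argv_out = argv;
    return n;
}

/* Fixed sizing: dry-run the same state machine to count, then allocate
   exactly count + 1 slots, so the two passes cannot disagree. */
static int build_argv_fixed(const char *str, char ***argv_out)
{
    int n = split_tokens(str, sep_space_tab, NULL, 0);
    char **argv = n < 0 ? NULL : calloc((size_t)n + 1, sizeof *argv);
    if (!argv || split_tokens(str, sep_space_tab, argv, (size_t)n) != n) {
        free_argv(argv);
        *argv_out = NULL;
        return -1;
    }
    *argv_out = argv;
    return n;
}
```

The general fix pattern holds for any two-pass tokenizer: either count with the same code that emits, or grow the array on each append; any remaining disagreement between the two passes shows up under ASan as exactly the heap-buffer-overflow in the report, one pointer past the end of the xmalloc'd region.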